University Policies and Procedures Manual (previously Business Policies and Procedures Manual)
Personnel Security
UPPM 87.60
For more information contact:
Information Technology Services
1.0 Overview and Purpose
1.1 Information Assurance Policies Generally
The purposes of the information assurance policies in UPPM Chapter 87: Information Technology and Security are to:
- Set requirements to ensure the privacy, confidentiality, integrity, and availability of Washington State University (WSU) data;
- Support institutional goals and strategies with appropriate methods for administratively, technically, and operationally protecting data; and
- Define the criteria WSU follows to meet requirements for protecting data, which are determined by Information Owners.
The policies in this chapter comply with Federal Information Processing Standards (FIPS 199), which are intended to help organizations achieve a common level of quality and interoperability in information technology (IT) by requiring categorization of systems as low-impact, moderate-impact, or high-impact for the stated security objectives of confidentiality, integrity, and availability. To determine the potential consequence of a loss event, the Federal Information Processing Standards:
- Define WSU Information Owners’ impact categorization rating (Low, Moderate, or High);
- Dictate which security controls are mandatory based upon the categorization level;
- Define the strength, frequency, and formalization of those controls; and
- Influence audit burden and continuous monitoring rigor.
See UPPM 87.01 for definitions, general information, and violations related to this policy, as well as additional information regarding roles and responsibilities.
1.2 Specific Policy Overview and Purpose
Protection of WSU’s information systems and data requires appropriate screening, onboarding, monitoring, and departure procedures for personnel. This policy sets forth roles, responsibilities, and requirements for ensuring those with access to WSU systems and information meet WSU’s security requirements.
2.0 Applicability
This policy applies to all WSU system users who have contact with, or potentially may have contact with, WSU data, applications, and computing resources.
Security control exceptions to policy statements in UPPM Chapter 87 are managed and maintained in accordance with UPPM 87.23.
3.0 Roles and Responsibilities
3.1 Chief Information Officer
The Chief Information Officer (CIO) of WSU, or designee, is responsible for administering this policy and reviewing it on an annual basis.
3.2 Information System Owners
WSU Information System Owners, or their delegates, are responsible and accountable for developing appropriate Standard Operating Procedures (SOPs) for this policy’s implementation.
3.3 Office of Information Security and Assurance (OISA)
WSU’s Office of Information Security and Assurance (OISA) shall maintain the standard associated with this policy and provide guidance for the associated procedures for the implementation of this policy (see examples).
Note: While all units are required to adhere to the standard established by OISA (NIST SP 800-53), procedural examples for implementation are optional.
4.0 Requirements
Security and privacy roles and responsibilities are to be incorporated into WSU position descriptions when applicable.
ITS and HRS will work together to assign risk designations and screening criteria to all WSU employment positions and to review and update risk designations regularly.
Individuals are to be screened in accordance with UPPM 60.16 prior to being granted access to systems and at designated intervals thereafter.
- If a candidate is hired into a position with a security role that has access to personally identifiable information (PII), the hiring department must ensure a background check has been completed.
Employee departure procedures are to be conducted in accordance with UPPM 60.74:
- Upon departure, access to systems must be disabled and any authenticators and/or credentials are to be terminated or revoked;
- Exit interviews are to be performed and, as applicable, include a discussion about information security related topics;
- All WSU property must be returned to a designated WSU location;
- WSU Information Owners, or their delegates, must take measures to retain access to information and systems formerly controlled by the departing individual, in accordance with UPPM 90.01; and
- High-impact systems must use automated mechanisms to notify and/or disable access to resources.
When individuals are transferred or reassigned, Information Owners, or their delegates, must review and confirm their logical and physical access authorizations to systems and facilities. When reassignment occurs, actions are to be taken in a timely manner to modify access authorizations to correspond with the new position requirements.
Employee access agreements must be developed to support acknowledgement that individuals have read, understand, and agree to abide by the constraints associated with WSU systems. Access agreements are to be signed prior to granting access and reviewed and updated regularly.
Personnel security requirements are to be established and documented for external providers that include security roles and responsibilities.
External provider personnel are required to comply with WSU security policies and procedures.
Information System Owners, or their delegates, must be notified when external personnel who possess WSU system credentials and/or badges, or who have WSU system privileges, are transferred or terminated.
5.0 Training
See UPPM 87.21 for training requirements related to UPPM Chapter 87.
In addition to the requirements in UPPM 87.21, Information System Owners are responsible for ensuring that users receive appropriate information security and privacy training commensurate with their roles, responsibilities, and authorized access to information systems under the Information System Owner’s authority.
_______________________
Revisions: May 2026 (Rev. 656-NEW).